| 1 | +--- |
| 2 | +title: Create an Application Gateway – ILB ASE | Microsoft Docs |
| 3 | +description: Learn how to troubleshoot an application gateway by using an Internal Load Balancer with an App Service Environment in Azure |
| 4 | +services: vpn-gateway |
| 5 | +documentationCenter: na |
| 6 | +author: genlin |
| 7 | +manager: cshepard |
| 8 | +editor: '' |
| 9 | +tags: '' |
| 10 | + |
| 11 | +ms.service: vpn-gateway |
| 12 | +ms.devlang: na |
| 13 | +ms.topic: troubleshooting |
| 14 | +ms.tgt_pltfrm: na |
| 15 | +ms.workload: infrastructure-services |
| 16 | +ms.date: 11/06/2018 |
| 17 | +ms.author: genli |
| 18 | +--- |
| 19 | + |
| 20 | +# Back-end server certificate is not whitelisted for an application gateway using an ILB ASE |
| 21 | + |
| 22 | +This article troubleshoots the issue in which a certificate isn't whitelisted when you create an application gateway by using an Internal Load Balancer (ILB) together with an App Service Environment (ASE) at the back end with end-to-end SSL in Azure. |
| 23 | + |
| 24 | +## Symptoms |
| 25 | + |
| 26 | +When you create an application gateway by using an ILB with an ASE at the back end, the back-end server may become unhealthy. This problem occurs if the authentication certificate of the application gateway doesn't match the configured certificate on the back-end server. See the following scenario as an example: |
| 27 | + |
| 28 | +**Application Gateway configuration:** |
| 29 | + |
| 30 | +- **Listener:** Multi-site |
| 31 | +- **Port:** 443 |
| 32 | +- **Hostname:** test.appgwtestase.com |
| 33 | +- **SSL Certificate:** CN=test.appgwtestase.com |
| 34 | +- **Backend Pool:** IP address or FQDN |
| 35 | +- **IP Address:**: 10.1.5.11 |
| 36 | +- **HTTP Settings:** HTTPS |
| 37 | +- **Port:**: 443 |
| 38 | +- **Custom Probe:** Hostname – test.appgwtestase.com |
| 39 | +- **Authentication Certificate:** .cer of test.appgwtestase.com |
| 40 | +- **Backend Health:** Unhealthy – Backend server certificate is not whitelisted with Application Gateway. |
| 41 | + |
| 42 | +**ASE configuration:** |
| 43 | + |
| 44 | +- **ILB IP:** 10.1.5.11 |
| 45 | +- **Domain name:** appgwtestase.com |
| 46 | +- **App Service:** test.appgwtestase.com |
| 47 | +- **SSL Binding:** SNI SSL – CN=test.appgwtestase.com |
| 48 | + |
| 49 | +When you access the application gateway, you receive the following error message because the back-end server is unhealthy: |
| 50 | + |
| 51 | +**502 – Web server received an invalid response while acting as a gateway or proxy server.** |
| 52 | + |
| 53 | +## Solution |
| 54 | + |
| 55 | +If you don't use a host name to access a HTTPS website, the back-end server will return the configured certificate on the default website. For an ILB ASE, the default certificate comes from the ILB certificate. If there are no configured certificates for the ILB, the certificate comes from the ASE App certificate. |
| 56 | + |
| 57 | +When you use a fully qualified domain name (FQDN) to access the ILB, the back-end server will return the correct certificate that's uploaded in the HTTP settings. In this case, consider the following options: |
| 58 | + |
| 59 | +- Use FQDN in the back-end pool of the application gateway to point to the IP address of the ILB. This option only works if you have a private DNS zone or a custom DNS configured. Otherwise, you have to create an "A" record for a public DNS. |
| 60 | + |
| 61 | +- Use the uploaded certificate on the ILB or the default certificate in the HTTP settings. The application gateway gets the certificate when it accesses the ILB's IP for the probe. |
| 62 | + |
| 63 | +- Use a wildcard certificate on the ILB and the back-end server. |
| 64 | + |
| 65 | +- Clear the **Use for App service** option for the application gateway. |
| 66 | + |
| 67 | +To reduce overhead, you can upload the ILB certificate in the HTTP settings to make the probe path work. (This is just for whitelisting. It won't be used for SSL communication.) The ILB certificate can be retrieved by accessing the ILB with its IP address on HTTPS, then exporting the SSL certificate in a Base-64 encoded CER format and uploading the certificate on the respective HTTP settings. |
| 68 | + |
| 69 | +## Need help? Contact support |
| 70 | + |
| 71 | +If you still need help, [contact support](https://portal.azure.com/?#blade/Microsoft_Azure_Support/HelpAndSupportBlade) to get your issue resolved quickly. |
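Review bot: the front matter files this page under the wrong product: `services: vpn-gateway` and `ms.service: vpn-gateway` are set on what the H1, description and body all treat as an Application Gateway troubleshooting article, so both values should name the application-gateway service or the page will be indexed and routed under VPN Gateway. In the same block, `author: genlin` and `ms.author: genli` disagree and one of them needs correcting, and the `title:` ("Create an Application Gateway – ILB ASE") does not match either the `description:` or the `# Back-end server certificate is not whitelisted…` heading, which both describe troubleshooting rather than creation. In the configuration list, `**IP Address:**: 10.1.5.11` and `**Port:**: 443` carry a doubled colon, and "a HTTPS website" in the Solution should read "an HTTPS website". The last paragraph of the Solution says the ILB certificate is obtained by "accessing the ILB with its IP address on HTTPS, then exporting the SSL certificate in a Base-64 encoded CER format"; a short numbered procedure for that export and upload would make the step reproducible, and since the whitelisted certificate is what the probe is matched against, a sentence stating that it must be re-uploaded to the HTTP settings whenever the ILB certificate is replaced would prevent readers from hitting the same unhealthy-backend symptom after a renewal.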